Location-based security: push notification when a booking is to be made


#1

When location-based security is switched on, online transactions may be declined even though they are plausible.
Example: when booking tickets for an Alcatraz tour, two charges are made:

CREDIT CARD BILLING INFORMATION
There will be two charges listed on your credit card statement for your reservation:

  1. AlcatrazIslandTickets.com: 24.00
  2. Alcatraz Cruises: 99.25

The first charge of 24.00 is debited immediately, without problems. The second charge is blocked.

This could be prevented if these were not declined outright, but instead a push notification were sent to the phone, where one can choose whether the transaction is OK (= plausible) or not OK (= not plausible). The transaction is declined automatically only if the user makes no input after a certain time (e.g. 2 minutes) has elapsed.


#2

That’s an interesting problem. I wonder how other payment processors handle that.


#3

Are you sure the payment was declined because of location based security? As far as I know, e-commerce transactions are exempt from this feature.


#4

Yes, because when I turned off this option, it works.


#5

If a payment is declined due to location based security, a notification appears saying so. Did you get such a notification? It could be just a coincidence that switching it off and your successful payment seem to be related.

For online payments verification is different. If the merchant follows regular rules here, a payment processor can differentiate online from POS payments. The location based security feature does not affect, to my knowledge, e-commerce transactions at all. You can buy a train ticket in the UK while being in Shanghai, for example. Or make a payment at Apple iTunes, technically in Luxembourg, while being in the UK.

So what might have happened here is that the merchant processed the 2nd payment not properly as e-commerce but as some sort of regular POS payment. This would have triggered location based security.

What you’re proposing as a potential solution is similar to how 3DS works for online shopping. I don’t think that this would be convenient. Location based security is designed for card present transactions: shops, restaurants, ATMs. These terminals expect shorter response times and what would one do if one does not have data coverage on vacation to accept a payment?


#6

Here is a screenshot of the transactions. The shop tried twice to charge. I subsequently placed the order again and deactivated the security. It worked there. The same happened to me when reserving campsites in the US.


#7

Okay, then my assumption is that this merchant does not process the payment as an online payment (as they should) but as a regular transaction like you would be there.

That would explain why the 1st transaction went through (was labeled as online transaction) but the 2nd triggered the security feature. Basically, everything worked like it was designed to. :wink:


#8

I’ve disabled location based security after having had a similar issue. I think the best solution would be to have a pop up verification similar to 3D secure (after Revolut will finally have implemented it); generally, I think users would be willing to turn on a lot more popups (e.g. for the mag stripe, certain kinds of merchants, etc.); however, failing transactions get on my nerves, so instead of fiddling with settings and trying again, I leave stuff disabled (like location based security)…


#9

I don’t think that would work under real life circumstances in shops. POS terminals aren’t set up for this, payment processors would probably generate time outs.


#10

Well, none of us really knows the protocol (I guess :D) and whether there is some point in which Revolut could hold on for a few seconds. Also, I’m not sure which entity decides on going / not going through the 3D secure procedure; is 3D secure possible for POS terminals?


#11

3DS is just one way of doing SCA. POS terminals by their nature are already set up to do SCA via 2FA - they can ask for a PIN.